Executive Summary
This report documents a security assessment conducted on ArcaneDigitalShield.com, a Next.js 15 web application deployed on Google Cloud Run. The assessment was performed as an internal review to ensure our own infrastructure meets the security standards we recommend to clients.
The assessment identified 6 findings across various severity levels, including issues with data persistence, credential management, and input validation. All findings have been remediated as of the publication date.
Findings Summary
Scope & Methodology
Target Application
- Framework: Next.js 15.2.4 with React 18
- Deployment: Google Cloud Run (containerized)
- Storage: Google Cloud Storage (GCS)
- Features: Contact form, admin dashboard, static content
Testing Methodology
- Source code review (white-box)
- Configuration analysis
- API endpoint testing
- Authentication and authorization review
- Data handling and storage analysis
Detailed Findings
Contact Form Data Not Persisting in Production
Description
The contact form API was configured to store submissions in local filesystem storage. While this works in development, Cloud Run containers are ephemeral - data written to the local filesystem is lost when containers restart or scale.
Impact
Customer inquiries submitted through the contact form were being lost, resulting in potential business impact and poor customer experience.
Root Cause
The GCS_BUCKET_NAME environment variable was not configured in the Cloud Run deployment, causing the application to fall back to local storage.
Remediation
- Created dedicated GCS bucket for contact submissions
- Configured environment variable in Cloud Run deployment
- Granted appropriate IAM permissions to service account
- Added email notifications as secondary alert mechanism
Admin Dashboard Lacks Authentication
Description
The admin dashboard at /admin was publicly accessible without any authentication mechanism.
Impact
Any visitor could view contact form submissions, potentially exposing customer PII (names, emails, phone numbers, messages).
Remediation
Acknowledged for future implementation. Current mitigation: admin URL is not linked from public pages. Authentication system planned for next development cycle.
Missing Email Notification System
Description
No email notification system was configured, meaning new contact form submissions required manual checking of the admin dashboard.
Business Impact
Delayed response to customer inquiries could result in lost business opportunities.
Remediation
- Implemented Nodemailer with Google Workspace SMTP
- Stored credentials securely in Google Secret Manager
- Added HTML email templates with quick-reply buttons
Additional Low-Severity Findings
- ADS-2026-004: Missing rate limiting on contact form API endpoint. (Planned)
- ADS-2026-005: No CAPTCHA or bot protection on public forms. (Planned)
- ADS-2026-006: Security headers could be strengthened (CSP, etc.). (Remediated)
Lessons Learned
1. Test in Production-Like Environments: The data persistence issue would have been caught earlier if testing included deployment to Cloud Run with production configurations.
2. Environment Variables Are Critical: Missing or misconfigured environment variables can completely change application behavior. Document all required variables and verify during deployment.
3. Defense in Depth: Adding email notifications as a secondary mechanism ensures leads aren't lost even if storage issues occur.
4. Eat Your Own Dog Food: Performing security assessments on our own infrastructure keeps skills sharp and demonstrates commitment to security.
Timeline
Want This Level of Assessment?
We apply the same rigorous methodology to client engagements. Get a comprehensive security assessment of your web applications and infrastructure.
Schedule Assessment